ABSTRACT

NASA Lewis Research Center and Rockwell 
International, Rocketdyne Division, are responsible 
for the design, development, and testing of the 
Space Station Freedom (SSF) Electrical Power 
System (EPS). The SSF EPS has evolved from an 
early baseline of a Hybrid Solar 
Dynamic/Photovoltaic Power Generation with 
20kHz AC power distribution system to a 
Photovoltaic power generation with a DC power 
distribution system. In order to help identify 
technology risks and system level issues during this 
EPS evolution, and during the design and 
development phase, a supporting development 
end-to-end Power Management and Distribution 
(PMAD) DC testbed program has been initiated 
and various phases completed. One of the testbed 
program main objectives is to build a power system 
testbed that will serve as the platform for the 
evaluation of various power system control 
techniques. These power system control techniques 
have been developed based on high level EPS 
system requirements and operating scenarios. 

Because of the Space Station Program 
Restructure that took place in November/December 
1990, the allocation of control functions between 
ground and on-orbit is being reassessed. However, 
because of the maturity of the work, it was decided 
to complete the original implementation of the 
control system described in this paper. Efforts are 
currently underway to adapt to this revised 
allocation of functions. 

The PMAD DC Testbed Control System has 
been developed using a top down approach based 
on classical control system and conventional 
terrestrial power utilities design techniques. The 
design methodology includes the development of a 
testbed operating concept. This operating concept 
describes the operation of the testbed under all 
possible scenarios. A unique set of operating states 
has been identified and a description of each state, 
along with state transitions, was generated. Each
state is represented by a unique set of attributes and
constraints, and its description reflects the degree
of system security within which the power system
is operating. Using the testbed operating states
description, a functional design for the control 
system was developed. This functional design 
consists of a functional outline, a text description, 
and a logical flowchart for all the major control 
system functions. 

The detail design phase consists of performing 
functional decomposition and allocation of the 
functional design, and generating detailed 
flowcharts, or pseudo code, input/output 
descriptions, timing and data format constraints, 
and software implementation considerations. A 
software implementation of the detail design 
includes the generation of a Software Requirement 
Specifications and a Software Development Plan. 

This paper describes the control system design 
techniques utilized, a brief description of the 
various control system functions, and the status of 
the design and implementation. 

INTRODUCTION 

The NASA LeRC DC PMAD Testbed is a 
reduced scale representation of the EPS on the 
SSF. The testbed program's main objective is to 
support the identification of electrical power system 
technology risks and system level issues during the 
design and development phase of the SSF EPS. 
In addition, the unique capabilities afforded by the 
testbed will allow the evaluation of candidate power 
system design concepts, and early prototypes of 
space power components. System level issues like 
end-to-end system stability, power system 
protection, power system control, and subsystems 
interactions, among others, are being evaluated in 
the testbed. A complete description of the 
development and evolution of power system 
testbeds to support the Space Station Freedom 
Program is found in reference [1].

In its final configuration, the PMAD Testbed
will consist of two DC power channels as shown
in Figure 1. Each power channel consists of a Solar
Array Sequential Shunt Unit (SSU), a DC 
Switching Unit (DCSU), Battery Charge and 
Discharge Units (BCDU), Battery Simulators, a 
Main Bus Switching Unit (MBSU), DC to DC 
Converter Units (DDCU), Secondary Power 
Distribution Units (SPDU), Tertiary Power 
Distribution Units (TPDU), and Load Converter 
Units (LCU). A detailed description of the DC 
Testbed architecture and all its major components 
is found in reference [2]. 

CONTROL SYSTEM DESCRIPTION 

The SSF EPS, because it spans the entire SSF 
structure, lends itself to a distributed control system 
architecture. The DC testbed control system, in its 
final configuration, will consist of eleven standard 
controllers arranged in a distributed, hierarchical 
architecture as shown in Figure 1. This hierarchical 
control system provides the monitoring and control 
functions for the testbed power system. The testbed 
control system requirements are to continuously 
monitor and determine the state of the testbed 
electrical power system, and to periodically provide 
its status to the Operator Interface System (OIS). 
The control system design will augment power 
system fault protection and provide manual and 
automatic power component control. 

The overall testbed operation is overseen by the 
OIS. The OIS serves as the testbed operator 
interface and provides some of the functions that 
the Operations Management System (OMS) will 
perform for the SSF EPS. The Power Management 
Controller (PMC) is the highest level controller in 
the EPS, and serves as the overall EPS coordinator. 
The PMC performs all high level functions 
associated with the operation of a safe and robust 
power system. The PMC coordinates the various 
levels of the hierarchy; it receives high level 
commands from the OIS and provides EPS status 
information to the testbed operator. 

The PMC coordinates the operation of the 
control system subsidiary controllers. The lower 
level controllers consist of Photovoltaic Controllers 
(PVC) and Main Bus Controllers (MBC). The 
PVCs provide monitoring and control functions to 
the SSUs, BCDUs, and switchgear (Remote Bus 
Isolators, RBIs) that comprise the DCSU. The
MBCs monitor and control the operation of the 
DDCUs and the RBIs that comprise the MBSUs. 
A Load Management Controller (LMC) serves as 
the secondary and tertiary power distribution
controller and coordinates the operation of the
Secondary Power Controllers (SPC) and Tertiary
Power Controllers (TPC). The SPCs control the
operation of the switchgear that comprises the 
Secondary Power Distribution Units and the TPCs 
control the operation of the switchgear that 
comprises the Tertiary Power Distribution Units. 
The secondary and tertiary switchgear consists of 
RBIs and Remote Power Controllers (RPCs). The 
LMC provides the PMC with secondary and tertiary 
power distribution status information; although this 
function is not currently in WP-04, it is needed to 
demonstrate end-to-end operation of the testbed. 
A hierarchical, functional breakdown of the control 
system is shown in Figure 2. In this diagram, the 
major functions associated with the different levels 
of the architecture are shown allocated to the 
various controllers. 

The control system standard controllers are 20 
MHz, Compaq 386/20e personal computers. Each 
standard controller is configured with operating 
software and the appropriate peripheral hardware 
to perform its given function. The PMC provides 
command and control data to the subsidiary 
controllers via an 802.4 Token Bus, local area 
network. The subsidiary controllers provide 
command and control data to the testbed power 
components via a MIL STD 1553B Data Bus. 

CONTROL SYSTEM STATES 

The operation of the DC Testbed power system 
can be represented using state space analysis and 
conventional terrestrial utility power system design 
techniques. A state transition diagram of the DC 
testbed power system is shown in Figure 3. The 
testbed power system is considered to have seven 
operating states. Each state is described by a 
unique set of attributes and constraints, and 
characterizes the degree of system security within 
which the power system is operating. The operating 
states can be classified as being either MANUAL 
or AUTOMATIC, based on the degree of operator 
intervention that is required to operate the testbed. 
The testbed is operating in the MANUAL mode 
when the testbed operator is in complete control 
of the testbed components. The operator can 
select a testbed configuration and can set testbed 
component operating parameters to satisfy a 
specific component or subsystem test. The 
MANUAL mode of operation is unique to the 
testbed and is being used extensively during 
integration of the various elements of the testbed 
and during evaluation of power system design 
concepts. 

Figure 1 DC PMAD Test Bed Control System Block Diagram


The AUTOMATIC mode of operation is 
characterized by the autonomous operation of the 
testbed EPS. The functions that comprise the 
AUTOMATIC mode of operation are designed to 
maximize the degree of power system security. 
System security is a function of the robustness and 
efficiency with which the power system reacts to 
disturbances. Power system disturbances include 
overloading by the users and faults and failures 
within the power system. Unlike a terrestrial utility 
power system where loads can be turned on and off 
without being scheduled, the SSF will have to 
schedule loads carefully due to limited power
source capacity. Consequently, the SSF will 
require a highly autonomous EPS for maximum 
power utilization. The functions that comprise each 
of the AUTOMATIC states will consist of a 
combination of power system hardware, and power 
system control software and hardware. Scheduled 
disturbances within the operating constraints are 
dictated by a Short Term Plan (STP). The STP 
is a time correlated load schedule that is provided
to the testbed control system by the OIS, and
represents the users' load requirements as a function
of time. 

The six autonomous states of operation are: 
START-UP, SHUT-DOWN, NORMAL, 
ALARM, EMERGENCY, and RESTORATIVE. 
The Start-Up and Shut-Down states are unique to 
the testbed and are considered for completeness in 
the state space analysis. These states comprise the 
necessary functions to perform an orderly and safe 
start-up and shut-down of the testbed components. 
The other four states are commonly found in utility 
power system security monitor designs [5].

The NORMAL state of operation is
characterized by a high degree of system security. 
The power system is operating in the NORMAL 
state if the STP is being serviced autonomously, the 
power distribution hardware is operating within 
rated values, sufficient energy is available to satisfy 
the users, and power system constraints are not 
violated. 





Figure 2 Hierarchical Functional Breakdown 


The ALARM state of operation is 
characterized by a decrease in the system security 
level. The power system monitoring function has 
detected a contingency that decreases the operating 
margins. The functions that comprise the ALARM 
state are suited to try to remove the contingency 
and return the power system to its NORMAL state 
of operation. The ALARM state is not a secure 
state and consequently the power system control 
will try to transition the system to NORMAL state. 
If these control functions fail, the system transitions 
to the EMERGENCY state. 

The EMERGENCY state of operation is 
characterized by a drastic reduction of system 
security. In this state the power system operating 
conditions are degrading and operator intervention
has been requested. In this unsecured state, the
operator will manually reset parameters in order to
transition the system to a more secure state. The
users' load requirements in the STP cannot be fully
met and system operating parameters are violated. 
The operator takes the appropriate actions to 
transition the power system to the RESTORATIVE 
state. In the testbed, the operator has the option 
to shut-down the testbed power system partially or 
completely to avoid further damage. In the Space
Station Freedom the scenario will be slightly
different with the station management system taking 
appropriate action to transition the system to a 
secure state by either shutting down portions of the 
power system or sending repair crews to fix the 
problem. 

The RESTORATIVE state is a transitional state 
and its major function is to restore the power system 
to a safe operating condition. The functions that 
comprise this state are designed to transition the 
power system to the NORMAL state. The power
system can transition back to the EMERGENCY
state, from which automatic safing again is
implemented. The ALARM, EMERGENCY, and
RESTORATIVE states of operation can be
collectively referred to as Off-NORMAL States.


CONTROL ALGORITHMS DESCRIPTION 

The state diagram shown in Figure 3 represents 
the operation of the testbed power system. The 
power system is composed of three elements: the 
power distribution system hardware, power system
control hardware, and the power system control
software. The functions that comprise each one of
the states depicted in the testbed state diagram are
implemented by a combination of the three
elements described above [3]. The remainder of
this paper will address the functions being
implemented by the control system hardware and
software.



Table 1 lists the allocation of the major control 
algorithms for the different states of the power 
system. A complete functional design of the control 
system algorithms that implements the state diagram 
shown in Figure 3 has been completed at the NASA 
LeRC. Each power system state is characterized 
by a unique set of attributes, which can be 
translated into functions that can be implemented 
either as algorithms or hardware functions. All the 
functions defined up until now can be classified 
either as cyclic, or synchronous, or event driven. 
A cyclic function is based on the periodic 
occurrence of a task or a known disturbance. Event 
driven functions are activated by the detection of 
an unscheduled disturbance in the power system. 
Most of the work completed at NASA LeRC has 
been in the area of NORMAL state of operation. 
The following is a detailed description of the major 
functions that comprise the NORMAL state of 
operation and provides an insight into the 
specifications needed for software implementation. 

The NORMAL State algorithms are classified 
as either event driven or cyclic functions, and are 
collectively referred to as NORMAL State 
Processing. The cyclic functions include Short 
Term Plan (STP) Implementation, System 
Monitoring, and Off-NORMAL Detection. The
event driven functions include Operator Override
and Off-NORMAL Processing. 

Optimal operation of the power distribution 
system will require that: 

(1) The control computers pre-approve user 
loads for operation during specific time slots. 

(2) The control computers accurately monitor 
the power system. 

(3) The control computers backup the hardware 
protection schemes. 


Table 1 Functional Allocation (surviving entries: STP Implementation, Fault Protection, Contingency)

SHORT TERM PLAN & SYSTEM INITIALIZATION

System Initialization can be defined as the 
sequence of procedural calls which, based on 
present system constraints and parameters, 
determines the appropriate setpoints for the system 
to operate in a NORMAL State during the 
upcoming user demand cycle. 

Unlike a terrestrial utility’s load profile which 
is statistically predicted, Space Station Freedom’s 
STP must be carefully planned and regulated due 
to the limited energy availability. The STP defines 
the load type, location, and the peak and nominal 
requirements for users, batteries, and DDCUs. The 
STP is created by the Operator Interface System,
using a default topology and ideal hardware
parameters, and is verified before the testbed is
"turned-on." However, the runtime conditions will
cause these parameters to change and preclude 
certain topologies (e.g., sources available). Thus, 
the objectives of STP Implementation, which is a 
dynamic process, are to ensure energy availability 
throughout the operating orbit, ensure safe 
operation of the power distribution hardware, 
accommodate changes in the distribution system’s 
runtime parameters (e.g., topology, line 
parameters, DDCU efficiencies, actual energy 
available), and adjust setpoints (e.g., battery 
operation mode, source balancing, and hardware 
trip points).

Because the user loads are fed by DDCUs, each 
channel of the testbed power distribution system is 
broken into a primary and two subsidiary 
distribution systems (Figure 1). This leads to three 
initialization procedures: one for the PMC and two 
for the LMC. The tool used to initialize the 
subsystems is Load Flow [Ref. 6], because constant 
power, current, and resistive loads are defined. 

The LMC implements two STPs which define 
the specific user loads (i.e., the loads connected to 
the Tertiary Power Distribution Units). The PMC 
implements an STP which characterizes the loading 
of the DDCUs (as predicted by the LMC and 
reflected to the primary distribution system). 

Each subsystem initialization requires two load 
flows. One is for nominal load requirements, and 
the other for peak requirements. The objectives 
of each are given below. 

Nominal requirements must be analyzed to: 

(1) Initialize the digital filters. 

(2) Assure nominal operating voltages are 
acceptable. 

(3) Assure sufficient energy and power for 
users. 


(4) Assure that the steady state ratings of 
hardware are not exceeded. 

Peak demands are analyzed to: 

(1) Set the "soft limits" on switchgear. These
are the maximum expected current flows and
minimum voltages, and serve as thresholds to set
Caution & Warning flags. The "soft limits" of
hardware are the expected maximum values, which
are below the ratings of a device.

(2) Determine the maximum energy and 
power required from the sources. 

(3) Seed the Power Interrupt Detection 
algorithms. 

Limited, predictive, autonomous,
batch-contingency analyses are implemented
whenever the present system setpoints and 
topological parameters would result in an unsafe or 
unacceptable operating point. Violations include 
insufficient energy, over-stressed sources and 
hardware, and unacceptable bus voltages. 

Upon completion of an acceptable operating 
point, the LMC and PMC send the results of their 
respective initialization procedures to the subsidiary 
controllers. The subsidiary controllers (MBC, 
PVC, SPCs, and TPCs) control and monitoring 
functions are then initialized, according to the load 
flow results. The system is then ready to implement 
the setpoints at the onset of the next demand period 
and continue system monitoring. 

SYNCHRONOUS SYSTEM MONITORING & POWER SYSTEM PROTECTION

System Monitoring can be defined as the 
process in which controllers periodically and 
synchronously sample and collect sensor data, 
smooth it, analyze it for acceptable system 
performance, and prepare an appropriate message 
for a control node, which implements the required 
control function. 

By definition, the power system must be 
monitored for the following reasons: 

(1) To ensure the safe operation of the system. 

(2) To track energy consumption and storage. 

(3) To verify locally detected power interrupts 
and faults. 

(4) To smooth data and update the Operator 
Interface System with EPS operating parameters. 

System Monitoring occurs at two levels. The 
local processors (PVC, MBC, SPCs, and TPCs) 
collect data synchronously, and the PMC 
asynchronously receives the MBC and PVC data to 
perform an asynchronous, but periodic, state
estimation (SE) [Ref. 7].

Power system operating points, voltages and
currents, are sampled at a 10Hz rate in the testbed
[4]. All sampled data is digitally filtered by a third
order, Butterworth algorithm, which smooths out
load modulations, reduces the effects of sample
skewing, and reduces the occurrences of "bad data
identification" by the SE. Data which is smoothed
by the Butterworth filter is referred to as prefiltered.
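
The prefiltering step described above, as an added example (not code from the paper or the testbed's Ada software): a third-order Butterworth low-pass at the stated 10 Hz sample rate, seeded with a nominal value in the way the initialization section says the digital filters are initialized. The 1 Hz cutoff, the 40 A nominal current, the 60 A soft limit and both sample sequences are assumptions constructed for illustration.

```python
import math

SAMPLE_HZ = 10.0  # sampling rate stated in the paper
CUTOFF_HZ = 1.0   # assumption: the paper does not state the cutoff frequency


class ButterworthPrefilter:
    """Third-order Butterworth low-pass built as a first-order section
    followed by a second-order section (bilinear transform, prewarped)."""

    def __init__(self, seed, cutoff_hz=CUTOFF_HZ, sample_hz=SAMPLE_HZ):
        k = math.tan(math.pi * cutoff_hz / sample_hz)
        d1 = 1.0 + k
        self.b1 = k / d1                      # numerator: b1 * (1 + z^-1)
        self.a1 = (k - 1.0) / d1
        d2 = 1.0 + k + k * k
        self.b2 = k * k / d2                  # numerator: b2 * (1 + z^-1)^2
        self.a2 = ((2.0 * k * k - 2.0) / d2, (1.0 - k + k * k) / d2)
        # Seed every delay element with the nominal value so the output
        # starts at steady state instead of ramping up from zero.
        self.x1 = self.y1 = seed
        self.u = [seed, seed]                 # past inputs of section 2
        self.y = [seed, seed]                 # past outputs of section 2

    def step(self, x):
        """Filter one new sample and return the prefiltered value."""
        y1 = self.b1 * (x + self.x1) - self.a1 * self.y1
        self.x1, self.y1 = x, y1
        y2 = (self.b2 * (y1 + 2.0 * self.u[0] + self.u[1])
              - self.a2[0] * self.y[0] - self.a2[1] * self.y[1])
        self.u = [y1, self.u[0]]
        self.y = [y2, self.y[0]]
        return y2


def prefilter(samples, seed):
    """Run a whole sample sequence through a freshly seeded filter."""
    f = ButterworthPrefilter(seed)
    return [f.step(x) for x in samples]


def first_over(samples, limit):
    """Index of the first sample above the limit, or None if none is."""
    for i, value in enumerate(samples):
        if value > limit:
            return i
    return None


# Constructed switchgear currents (amps), one value per 0.1 s sample.
NOMINAL_A, SOFT_LIMIT_A = 40.0, 60.0
SPIKE = [40.0] * 5 + [80.0] + [40.0] * 14     # one-sample transient
STEP = [40.0] * 5 + [80.0] * 15               # sustained overload

if __name__ == "__main__":
    for name, seq in (("spike", SPIKE), ("step", STEP)):
        raw = first_over(seq, SOFT_LIMIT_A)
        filt = first_over(prefilter(seq, NOMINAL_A), SOFT_LIMIT_A)
        print(name, "raw:", raw, "prefiltered:", filt)
```

The one-sample transient crosses the soft limit in the raw data but never in the prefiltered data, while the sustained overload is still flagged three samples (0.3 s) later.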

It should be stressed that the software 
monitoring and protection schemes are intended to 
be a backup to the hardware. As such, the response 
times of the software are slower than the worst case 
hardware times, but not so slow as to cause 
continued, degraded or dangerous system 
operation. An overview of the levels of backup is: 

(1) At the tertiary distribution levels the 
controllers implement undervoltage detection 
(UVD), power interrupt detection (PID), and 
overcurrent detection (OCD) algorithms. 

(2) At the secondary distribution levels the 
controllers provide backup protection to the 
DDCUs and secondary subsystems. Thus, in 
addition to UVD, OCD, and PID, bus and line hard 
fault detection (HFD) are implemented. HFD is 
implemented in the LMC because the TPCs and 
SPCs do not have access to all required data. 

(3) At the primary distribution level, the 
software should provide backup protection for the 
sources, roll rings, switchgear, and distribution 
lines, and it should ensure energy availability. 
Thus, UVD, PID, OCD, and HFD are all 
implemented in the MBC and PVC. Furthermore, 
SE is implemented in the PMC to detect "soft
faults" on lines and buses.

PID, which is resident in all subsidiary 
controllers, uses two consecutive, unfiltered values 
and a boolean expression (Eq. 1) to identify a 
power interrupt condition in switchgear that is 
expected to be closed (E=1) and carrying power.
Unfiltered values are used because fast action is
required. The required electrical values are voltage
and current. If the readings are greater than 60%
of the expected minimum values, then the logical
terms V and I are set to "1," else they are set to
"0." Also, switchgear provides the following
additional information: a relay status bit (1=closed,
0=open) and a trip bit (1=tripped, 0=not tripped).
The trip bit is used to indicate whether the PI is a
result of a local (T=1) or upstream (T=0) "fault."


Eq. 1

$$PI = E\,(V_k V_{k-1} + I_k I_{k-1})$$

k = present sample


Under Voltage Detection uses prefiltered data 
to identify bus voltages operating under 90% of the 
expected minimum value, but over the 60% ’’power 
interrupt value.” Thus, this is ’’brownout 
detection.” Furthermore, because there are 
redundant (at least two) voltage measurements at 
each bus, the UV condition is detected only if a 
majority of readings agree to within sensor 
accuracies. 

OCD scans the switchgear readings for currents 
in excess of the expected peak values ("soft"
overcurrents) and over the device ratings ("hard"
overcurrents). Because caution & warnings or 
preventative control should not be implemented 
due to transients, OCD uses prefiltered data. 

HFD (bus and line) is also performed in the 
subsidiary controllers with prefiltered values, and 
is referred to as "hard" because the level of faults
detectable is limited to values greater than
full-scale, sensor accuracies of the actual current
flow. (Thus if a line is carrying 100 Amps, 5%
measurements can only detect faults greater than
approximately 5 Amps.) The method used to detect
such faults is differential protection, which simply 
requires that the sum of currents into a node equal 
zero. Applied to measurements in the testbed, this 
requirement translates to the generalized nodal 
equation (Eq. 2). 


Eq. 2

$$\frac{1.0 - Acc}{1.0 + Acc} \le \frac{\sum \text{input currents}}{\sum \text{output currents}} \le \frac{1.0 + Acc}{1.0 - Acc}$$

Acc = Measurement accuracy


A description of the software implementation 
of the above mentioned functions in the Ada 
programming language is found in reference [4].
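
An added example (not the paper's code, and in Python rather than the Ada of reference [4]) of the UVD, OCD and HFD checks run on prefiltered readings. It assumes Eq. 2 bounds the ratio of summed input to summed output currents between (1.0 - Acc)/(1.0 + Acc) and (1.0 + Acc)/(1.0 - Acc), and reads "agree to within sensor accuracies" as a limit on the spread of the readings; all function names, switchgear names and sample values are constructed.

```python
def under_voltage(readings, expected_min, sensor_acc):
    """UVD: brownout if a strict majority of the redundant bus readings lie
    between the 60% power-interrupt value and 90% of the expected minimum."""
    low, high = 0.60 * expected_min, 0.90 * expected_min
    votes = [v for v in readings if low < v < high]
    if 2 * len(votes) <= len(readings):
        return False
    # Assumption: "agree to within sensor accuracies" means the voting
    # readings differ by no more than the +/- error of two sensors.
    return max(votes) - min(votes) <= 2.0 * sensor_acc * max(votes)


def over_current(amps, soft_limit, rating):
    """OCD: 'hard' above the device rating, 'soft' above the expected peak."""
    if amps > rating:
        return "hard"
    if amps > soft_limit:
        return "soft"
    return None


def hard_fault(input_amps, output_amps, acc):
    """HFD: differential check at a node. The ratio bound assumed for Eq. 2
    is cross-multiplied so a node carrying no current needs no division."""
    s_in, s_out = sum(input_amps), sum(output_amps)
    lower_ok = (1.0 - acc) * s_out <= (1.0 + acc) * s_in
    upper_ok = (1.0 - acc) * s_in <= (1.0 + acc) * s_out
    return not (lower_ok and upper_ok)


def scan_bus(snapshot, limits):
    """Run the three checks on one prefiltered snapshot of a bus."""
    flags = []
    if under_voltage(snapshot["bus_volts"], limits["v_min"], limits["acc"]):
        flags.append("UV")
    for name, amps in snapshot["switch_amps"].items():
        level = over_current(amps, limits["soft"][name], limits["rating"][name])
        if level:
            flags.append("OC-" + level + ":" + name)
    if hard_fault(snapshot["in_amps"], snapshot["out_amps"], limits["acc"]):
        flags.append("HF")
    return flags


# Constructed limits (as a load flow might set them) and one snapshot.
LIMITS = {
    "v_min": 120.0,                            # expected minimum bus voltage
    "acc": 0.05,                               # 5% measurement accuracy
    "soft": {"RBI-1": 50.0, "RPC-3": 20.0},    # expected peak currents
    "rating": {"RBI-1": 65.0, "RPC-3": 25.0},  # device ratings
}
SNAPSHOT = {
    "bus_volts": [101.0, 103.5],               # two redundant sensors
    "switch_amps": {"RBI-1": 55.0, "RPC-3": 12.0},
    "in_amps": [100.0],
    "out_amps": [60.0, 25.0],                  # 15 A unaccounted for
}

if __name__ == "__main__":
    print(scan_bus(SNAPSHOT, LIMITS))
```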

CONCLUSIONS 

Unlike terrestrial utility power systems, the SSF 
EPS will have to carefully schedule and monitor 
loads, due to the limited available energy. The EPS 
control system will play an important role when
maximizing the use of electric power in the Space 
Station Freedom. In its initial configuration, the 
SSF EPS control system functionality will be kept 
to a minimum to comply with program constraints. 
As the SSF EPS evolves and becomes operational, 
the EPS control system functionality is expected to 
approach that of an autonomous electrical power 
system. The SSF EPS control system functions will 
be implemented on board the space station and in 
the ground based control center. This paper has 
presented power system control algorithms, being 
implemented in the PMAD DC Testbed, that are 
considered to be essential to the operation of an 
autonomous electrical power system. These
algorithms are candidates for implementation on 
board the Space Station Freedom, or in the ground 
control center. 


